09-01-2016 09:50 AM - edited 03-10-2019 06:40 AM
We have a service policy that has a "Do not match" ACL to exempt certain traffic. This ACL is followed by a Match ACL for all other traffic. When I test matching traffic on the ASA by using the "show service-policy flow..." command, I can confirm that the excluded traffic does not match the service policy and other traffic does (see below).
However, when I look at the logs on the Firepower, I see the unmatched traffic in the Connection Events log. If the traffic is excluded by the Service Policy, shouldn't that traffic bypass the Firepower? Why would I still see it in the connection logs?
Matched traffic:

ASA5516# show service-policy flow ip host 206.15.254.1 host 10.25.10.3

Global policy:
  Service-policy: global_policy
    Class-map: Firepower
      Match: access-list global_mpc
        Access rule: permit ip any any
      Action:
        Output flow: sfr fail-open
    Class-map: class-default
      Match: any
      Action:

Unmatched traffic:

ASA5516# show service-policy flow ip host 206.15.130.13 host 10.25.70.3

Global policy:
  Service-policy: global_policy
    Class-map: class-default
      Match: any
      Action:
Thanks!
09-01-2016 10:25 AM
I should add that the traffic I'm seeing show up in Firepower is SIP traffic. The "Do not match" ACLs on the service policy are for all IP traffic to and from a group of IPs, so I don't know why SIP traffic would be matching.
10-05-2016 01:20 AM
I am having a very similar issue. About to open a TAC case. Did you get it resolved?
10-05-2016 05:16 AM
No, that traffic is still showing up in the Firepower logs. Please let me know what the TAC says. Thanks!
02-10-2017 01:09 PM
Not sure if you ever got this resolved, but I came across the same thing and found your post. I'm assuming you added an ACE to the ACL used by the class-map, and were surprised when the Connection Events in SFR still showed that traffic?
What I found was that you had to do a 'clear conn' to force the flows to use the new settings. This is somewhat alluded to here:
Once I did a 'clear conn', I stopped seeing that traffic in the CE.
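For anyone landing on this thread later, here is an added configuration example (not posted by anyone above) of what the "Do not match" exemption looks like in the ASA CLI, followed by the verification and the clear conn step the last reply describes. The class-map name Firepower and ACL name global_mpc are taken from the show output in the first post; the object-group name SFR_EXEMPT, its membership, and the use of 10.25.70.3 as the exempted host are assumptions for illustration.

```cisco
! Added example, not from the thread. Names and addresses are assumed; only
! global_mpc, Firepower and sfr fail-open come from the posted show output.
object-group network SFR_EXEMPT
 network-object host 10.25.70.3
!
! In an MPF match ACL a deny ACE means "do not match" (ASDM displays it as
! "Do not match"); the permit that follows catches everything else.
! Order matters: the deny entries must come before the permit ip any any.
access-list global_mpc extended deny ip object-group SFR_EXEMPT any
access-list global_mpc extended deny ip any object-group SFR_EXEMPT
access-list global_mpc extended permit ip any any
!
class-map Firepower
 match access-list global_mpc
!
policy-map global_policy
 class Firepower
  sfr fail-open
!
service-policy global_policy global
!
! --- exec mode, after the change ---
! Confirm the policy decision for a flow (same check the first post ran):
show service-policy flow ip host 206.15.130.13 host 10.25.70.3
!
! Connections that were already open when the ACE was added keep the
! redirect decision made when they were built, so a long-lived SIP session
! keeps showing up in Firepower Connection Events until it is torn down.
! Clear only the exempted host's connections instead of a bare "clear conn":
show conn address 10.25.70.3
clear conn address 10.25.70.3
```

Scoping clear conn to the exempted addresses drops only the sessions that need to be re-evaluated against the new ACL, rather than tearing down every connection through the firewall, which is what an unqualified clear conn does.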